New Simplocker ransomware locks tens of thousands of devices around the globe, comes with a new wrinkle in its strategy

Sep 3, 2015 19:07 GMT

Simplocker, the Android ransomware that was discovered by ESET and Kaspersky in 2014 and that made a comeback earlier, in January, has now been seen again, locking tens of thousands of Android users out of their devices.

This new strain of the Simplocker family has been discovered and analyzed by security firm Check Point, which also observed some changes in how this version operates.

First and foremost, the ransomware, which was previously known to show FBI-themed messages, now poses as the NSA. But that's not all. If the user is located in another country, Simplocker has the ability to detect this detail and show a localized message instead.

Still infecting users via a Flash Player application

The only thing that hasn't changed is its ability to hide as a legitimate application, still using its old trick of masquerading as a Flash Player app.

Once the user clicks the "Activate" button on this fake application, all hell breaks loose, and Simplocker slowly starts taking over the phone.

First, it initiates contact with its command-and-control (C&C) server, then shows a huge banner over the user's screen, and while this happens, slowly starts encrypting files.

As with all modern ransomware, the encryption key is kept on the C&C server, which in this case, Check Point has observed, is contacted via XMPP (Extensible Messaging and Presence Protocol) messages.

This was also noticed by Avast in January, but now Check Point researchers found a new wrinkle in their mode of operation.

"We observed [...] that the malware operators use an automated process behind an anonymous TOR node to pull messages from the C&C and send back commands to the devices," says Ofer Caspi from Check Point. "The hundreds of thousands of messages we intercepted show that this is not a trivial incident, but rather a very serious and orchestrated campaign."

Most antivirus engines are capable of detecting it

Check Point discovered the XMPP accounts used in the C&C communications and reported them to the XMPP server operators, who then deactivated them.

Nevertheless, the current Simplocker campaign is still going strong; the only positive detail is that most antivirus engines seem to detect it easily when they encounter it.

Currently, the Check Point team estimates that there are tens of thousands of infected Android devices, and over 10,000 users paid the ransom that ranges from $200 / €180 to $500 / €450.

If you like the geeky stuff, Check Point has provided the technical, step-by-step autopsy of a Simplocker infection on their blog.

Image: Simplocker is very well detected by AV engines

Image: Simplelocker now masquerades as the NSA

Image: Simplelocker comes with localized messages

Image: Simplelocker poses as a legitimate Flash Player app